logo

Live Production Software Forums


Welcome Guest! To enable all features please Login or Register.

Notification

Icon
Error

Options
Go to last post Go to first unread
xemles  
#1 Posted : Tuesday, November 17, 2020 9:08:20 AM(UTC)
xemles

Rank: Advanced Member

Groups: Registered
Joined: 11/25/2019(UTC)
Posts: 42
France, Metropolitan
Location: Bordeaux

Was thanked: 2 time(s) in 2 post(s)
Hello,

A bit ago, I made a mistake, I was using the Web Controller on a Remote Server and forgot to put a password. Someone hijacked it, it lasted only a few seconds because I knew what I was doing, but it still happened.


I wanted to make this message as a warning, and as an advice.

Web Controller is enabled by default, so if you are using vMix on a server or a network without any firewall, please check and disable it in Settings -> Web Controller.


But Why?

Let me explain.
I wanted to check if I was alone with my vMix exposed on the Internet, and I found hundreds of them, from Churches to TV Productions, going by Podcasts Hosts, Sports Productions, Web TVs using vMix as their Playout System and many more.


What's the risk?

With the Web Controller without a password, anybody can have a total control over your vMix. From changing inputs, to start or stop streaming, changing titles in your vMix. Anything.

Just check by yourself with the Developer API what is possible.

As you can see, they can event "Send Keys" on your PC, so if they know what they're doing, they could even take over your streaming machine.



I contacted in the past few days dozens of companies, individuals, French and English speaking to tell them about this vulnerability, sadly I could not contact all of them with just the informations in their vMix and not everyone took it seriously and there is still a lot of them unprotected.

Please vMix Team, please disable Web Controller by default or allow only local networks to access it with the default settings.
(Please don't just put a "default password" that would be the same on every device since it would end up being leaked anyways)

Also vMix team, I have a bunch of IP Addresses that I can't contact because their vMix doesn't have enough information so if I can give you those IPs so you can let them know that would be really cool.

A Congolese TV Channel didn't take me seriously while I can literally do anything on their channel.

I couldn't contact those dozens of Church, because how are you going to explain them just the concept of IP Addresses.

I couldn't contact dozens of companies where I don't speak their language.

Please, do something before malicious people do.
DWAM  
#2 Posted : Tuesday, November 17, 2020 5:43:19 PM(UTC)
DWAM

Rank: Advanced Member

Groups: Registered
Joined: 3/20/2014(UTC)
Posts: 2,721
Man
France
Location: Bordeaux, France

Thanks: 243 times
Was thanked: 794 time(s) in 589 post(s)
Et bé le bordeluche, on fait une crise de parano ?

Although some risks really exist, the biggest issue is not vMix WebController being on by default. Why ?

- first without port forwarding and appropriate rules on the router/firewall to explicitely allow access to port 8088, nothing can happen from the internet
- in case you set up the firewall to allow access, you still can define "who" can use this access
- alternatively access can be restricted over the internet only to those using your own VPN

Regarding the LAN users, there are 2 contexts:

- are you on your own LAN and do you control who can plug/connect to your infrastructure ?
- are you on a LAN you have no control over, like a shared network or a co-working place ?

In the 1st case I believe the risks are very limited (unless you don't treat your people right)
In the 2nd case, vMix and your Windows PC bring all the security features required to secure your setup.

I don't think the issue here is having a WebController enabled for LAN by default. The issue is most people don't know and don't care enough about networking and security and don't want to learn as long as "it" works. They will certainly learn the hard way, one day or another, when it's too late...

So I agree it's important to talk and inform about these issues, but I disagree it's vMix fault. vMix is not to blame (it brings and relies on an OS that have everything required to make it safe).
People are responsable for their use, their actions, their knowledge or lack of knowledge. Would you blame the hammer that was used to kill someone?

Instead of diffusing fear, if you really care about this, write a good practise manual... Do not blame vMix... Teach people... People are the biggest risk!
thanks 1 user thanked DWAM for this useful post.
elvis55 on 11/17/2020(UTC)
MickeyMJJ  
#3 Posted : Tuesday, November 17, 2020 5:59:26 PM(UTC)
MickeyMJJ

Rank: Advanced Member

Groups: Registered
Joined: 12/14/2018(UTC)
Posts: 129
France
Location: Clermont-Ferrand

Thanks: 30 times
Was thanked: 9 time(s) in 8 post(s)
I think indeed that everyone must take their responsibilities, and here it is not for the developers of vMix to do so.

When you allow external access, you are supposed to understand the risks and know how to manage your firewall.

Michael.
Pepsi(~)  
#4 Posted : Tuesday, November 17, 2020 7:20:58 PM(UTC)
Pepsi(~)

Rank: Advanced Member

Groups: Registered
Joined: 9/9/2020(UTC)
Posts: 94
Netherlands
Location: Noord-Brabant

Thanks: 3 times
Was thanked: 13 time(s) in 12 post(s)
I do agree with DWAM.
Why would you connect any system directy to the internet.
And if so the webportal is very useful if you are in the same network. (But just not behind your computer)
But even if there is a user ID and password (what you can set by the way) it is still HTTP. And HTTPS will shift the performance from why vmix is there to other topics.
In the broadcasting it is all about low latency and put performance in that.
Most systems run with a local admin account in a broadcasting network. Without anti virus. (I do have anti virus running, only not during a broadcast)
xbamaris  
#5 Posted : Wednesday, November 18, 2020 12:50:21 AM(UTC)
xbamaris

Rank: Member

Groups: Registered
Joined: 3/27/2013(UTC)
Posts: 15
Location: Wisconsin

Was thanked: 1 time(s) in 1 post(s)
While I agree there should be some form of password for the API, you can get around this with firewall rules probably on the vMix machine. Or put it on its own vLan and control the firewall rules with your main firewall.
xemles  
#6 Posted : Wednesday, November 18, 2020 2:37:37 AM(UTC)
xemles

Rank: Advanced Member

Groups: Registered
Joined: 11/25/2019(UTC)
Posts: 42
France, Metropolitan
Location: Bordeaux

Was thanked: 2 time(s) in 2 post(s)
Originally Posted by: DWAM Go to Quoted Post
Et bé le bordeluche, on fait une crise de parano ?

Although some risks really exist, the biggest issue is not vMix WebController being on by default. Why ?

- first without port forwarding and appropriate rules on the router/firewall to explicitely allow access to port 8088, nothing can happen from the internet
- in case you set up the firewall to allow access, you still can define "who" can use this access
- alternatively access can be restricted over the internet only to those using your own VPN

Regarding the LAN users, there are 2 contexts:

- are you on your own LAN and do you control who can plug/connect to your infrastructure ?
- are you on a LAN you have no control over, like a shared network or a co-working place ?

In the 1st case I believe the risks are very limited (unless you don't treat your people right)
In the 2nd case, vMix and your Windows PC bring all the security features required to secure your setup.

I don't think the issue here is having a WebController enabled for LAN by default. The issue is most people don't know and don't care enough about networking and security and don't want to learn as long as "it" works. They will certainly learn the hard way, one day or another, when it's too late...

So I agree it's important to talk and inform about these issues, but I disagree it's vMix fault. vMix is not to blame (it brings and relies on an OS that have everything required to make it safe).
People are responsable for their use, their actions, their knowledge or lack of knowledge. Would you blame the hammer that was used to kill someone?

Instead of diffusing fear, if you really care about this, write a good practise manual... Do not blame vMix... Teach people... People are the biggest risk!



I'm not being paranoid, there is hundreds of vMix that are setup without any proper firewall and they're not in my LAN.
On dedicated servers, there's most likely not a firewall.
If I say that it's not because I'm paranoid, it's because I've seen it.
I agree it isn't vMix's fault, but they could still do things to protect their users and avoid that.
xemles  
#7 Posted : Wednesday, November 18, 2020 2:40:03 AM(UTC)
xemles

Rank: Advanced Member

Groups: Registered
Joined: 11/25/2019(UTC)
Posts: 42
France, Metropolitan
Location: Bordeaux

Was thanked: 2 time(s) in 2 post(s)
Originally Posted by: xbamaris Go to Quoted Post
While I agree there should be some form of password for the API, you can get around this with firewall rules probably on the vMix machine. Or put it on its own vLan and control the firewall rules with your main firewall.


You have to understand that most people don't even know what LAN is.
I've seen dozens of churches, webtvs where I can get into their vMix, just because they didn't setup anything
xemles  
#8 Posted : Wednesday, November 18, 2020 2:41:16 AM(UTC)
xemles

Rank: Advanced Member

Groups: Registered
Joined: 11/25/2019(UTC)
Posts: 42
France, Metropolitan
Location: Bordeaux

Was thanked: 2 time(s) in 2 post(s)
Originally Posted by: MickeyMJJ Go to Quoted Post
I think indeed that everyone must take their responsibilities, and here it is not for the developers of vMix to do so.

When you allow external access, you are supposed to understand the risks and know how to manage your firewall.

Michael.


"When you allow external access"
The people I've talked to didn't even know external access was allowed, just because it was there by default.
Users browsing this topic
Guest (2)
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.